5b99af0079813347d90c935ea540ed7f96dcea38Stéphane Graber# This derives from the global common config
5b99af0079813347d90c935ea540ed7f96dcea38Stéphane Graberlxc.include = @LXCTEMPLATECONFIG@/common.conf
# Gentoo security-oriented default configuration
# This is a more security-oriented container configuration.
# "More" because it is still far from fully secure.
# If you want more features to work and you trust your
# container user, see gentoo.common.conf instead.
cae3584efccc63f544c8748bd13d80e11bc79aefgza# do not mount sysfs, see http://blog.bofh.it/debian/id_413
bc19636d587fbabfbc2252f1bf4887fee87bb247Dennis Schriddelxc.mount.entry=mqueue dev/mqueue mqueue rw,nodev,noexec,nosuid,create=dir 0 0
bc19636d587fbabfbc2252f1bf4887fee87bb247Dennis Schriddelxc.mount.entry=shm dev/shm tmpfs rw,nosuid,nodev,noexec,relatime,create=dir 0 0
cae3584efccc63f544c8748bd13d80e11bc79aefgzalxc.mount.entry=run run tmpfs rw,nosuid,nodev,relatime,mode=755 0 0
# Capabilities
# Uncomment these if you do not run anything that needs the capability and
# would like the container to run with less privilege. Note that several of
# the capabilities listed below (sys_admin, dac_read_search, audit_control,
# setpcap, sys_resource) are already dropped by the active lxc.cap.drop line
# further down, so only setgid and setuid remain optional here.
# Dropping sys_admin prevents container root from doing a lot of things
# that could be bad, like re-mounting lxc fstab entries read-write, but it
# also disables some useful things like being able to NFS mount, and things
# that are already namespaced with ns_capable() kernel checks, like
# hostname(1).
00ec0cc72c0fb90f05b9e7dd293649cce88aec17Dennis Schridde# lxc.cap.drop = sys_admin # breaks systemd
00ec0cc72c0fb90f05b9e7dd293649cce88aec17Dennis Schridde# lxc.cap.drop = setgid # breaks login (initgroups/setgroups)
00ec0cc72c0fb90f05b9e7dd293649cce88aec17Dennis Schridde# lxc.cap.drop = dac_read_search # breaks login (pam unix_chkpwd)
00ec0cc72c0fb90f05b9e7dd293649cce88aec17Dennis Schridde# lxc.cap.drop = setuid # breaks sshd,nfs statd
00ec0cc72c0fb90f05b9e7dd293649cce88aec17Dennis Schridde# lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed)
00ec0cc72c0fb90f05b9e7dd293649cce88aec17Dennis Schridde# lxc.cap.drop = setpcap # breaks journald
38d122cfbb38b64614f5b8b314e99285d5da03ceKarl-Johan Karlsson# lxc.cap.drop = sys_resource # breaks systemd
38d122cfbb38b64614f5b8b314e99285d5da03ceKarl-Johan Karlssonlxc.cap.drop = audit_control audit_write dac_read_search fsetid ipc_owner linux_immutable mknod setfcap setpcap sys_admin sys_boot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_tty_config syslog
# WARNING: the security vulnerability reported for 'cap_net_admin' at
# http://mainisusuallyafunction.blogspot.com/2012/11/attacking-hardened-linux-systems-with.html
# via JIT spraying (the example used the BPF JIT module, which is disabled
# on most systems, but others are suggested to be vulnerable) meant that a
# user with root in a container, that capability and that kernel module
# could escape the container. Note that net_admin is not in the
# lxc.cap.drop line above, so this configuration still grants it; drop it
# as well if the container does not need to manage its own network.
# ALWAYS be extremely careful granting any process root within a
# container: use a minimal configuration at all levels - including the
# kernel - and multiple layers of security on any system where security
# is a priority. Note that not only LXC but also PaX (and possibly others)
# were vulnerable to this issue.